Hello!
I have some Windows event log data with 5 different event codes. I need to count by each of the event codes and then perform basic arithmetic on those counts. For example, event code 21 is logon, event code 23 is logoff. I need to count logons and then logoffs and then subtract logoffs from logons. I can do this all using stats for a 1 time answer, but I really want to be able to dump it into something like timechart so I can see the difference over time (hourly or daily).
The best I have right now is the one-time view with Stats:
host=somehostnames* sourcetype="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | stats count(eval(EventCode="21")) AS "Logons", count(eval(EventCode="23")) AS "Logoffs" | eval Difference = (Logons - Logoffs) | stats sum(Difference)
Or the timechart with each of the individual event codes:
host=somehostnames* sourcetype="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | timechart count by EventCode
Does anyone have any suggestions? Thanks in advance!
↧